EXHIBIT A

DATA PROCESSING ADDENDUM

This Data Processing Addendum (“DPA”) is entered into by and between the Customer and the Provider (each a “Party,” and collectively, the “Parties”) and forms an integral part of the Service Agreement (the “Agreement”). This DPA applies solely to the extent that Provider processes EU Personal Data on behalf of Customer in the course of providing the Services under the Agreement.

1. Definitions

Capitalized terms used but not defined in this DPA shall have the meanings set forth in the Agreement. For purposes of this DPA:

- “Data Protection Laws” means the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”), any applicable laws implementing or supplementing the GDPR, and any other applicable data protection or privacy laws. 
- “Controller” means the natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of Personal Data. 
- “Processor” means the natural or legal person which processes Personal Data on behalf of the Controller. 
- “EU Personal Data” means any Personal Data that is subject to the GDPR and relates to individuals located in the EEA. 
- “Sub-processor” means any third party engaged by Provider to process EU Personal Data.

2. Roles and Scope

- Provider shall process EU Personal Data solely as a Processor on behalf of Customer, who acts as Controller, in accordance with Customer’s documented instructions and the terms of the Agreement. 
- The nature and purpose of the processing, the types of EU Personal Data processed, and the categories of data subjects are described in Schedule 1 to this DPA.

3. Customer Instructions

Provider shall only process EU Personal Data on the documented instructions of Customer, unless required to do so by EU or Member State law. Customer instructs Provider to process EU Personal Data for the limited and specified purpose of providing the Services as described in the Agreement.

4. Confidentiality

Provider shall ensure that all personnel authorized to process EU Personal Data are subject to a duty of confidentiality and are trained in the handling of Personal Data.

5. Security Measures

Provider shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks presented by the processing of EU Personal Data, including, where appropriate:
- Pseudonymization and encryption of Personal Data 
- Ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems 
- Ability to restore availability and access in a timely manner 
- Regular testing and evaluation of effectiveness

6. Sub-processors

- Provider may engage Sub-processors to process EU Personal Data on Customer’s behalf. 
- Provider shall impose data protection obligations on any Sub-processor that are materially similar to those in this DPA. 
- Upon written request, Provider shall make available a list of current Sub-processors. Customer may object to a new Sub-processor on reasonable grounds.

7. Data Subject Rights

Provider shall, to the extent reasonably possible, assist Customer in responding to requests from data subjects to exercise their rights under the GDPR, including access, correction, restriction, erasure, and data portability.

8. Assistance and Breach Notification

- Provider shall notify Customer without undue delay upon becoming aware of a Personal Data breach involving EU Personal Data. 
- Provider shall assist Customer in meeting its obligations under the GDPR, including data protection impact assessments and consultations with supervisory authorities.

9. Data Transfers

Provider shall not transfer EU Personal Data to a third country outside the EEA unless:
- The transfer is made in accordance with Customer’s instructions and 
- Appropriate safeguards (e.g., Standard Contractual Clauses or adequacy decisions) are in place.

10. Audit Rights

Provider shall make available to Customer all information necessary to demonstrate compliance with this DPA and allow for reasonable audits by Customer or a designated auditor (subject to reasonable notice and confidentiality obligations).

11. Return or Deletion of Data

Upon termination or expiration of the Agreement, Provider shall, at Customer’s election, return or delete all EU Personal Data, unless otherwise required to retain it by applicable law.

12. Precedence

In the event of any conflict between this DPA and the Agreement, this DPA shall control with respect to the processing of EU Personal Data.

Schedule 1 – Description of Processing

  • Subject Matter: Processing of EU Personal Data in connection with the provision of analytics, reporting, and dashboard services.  

  • Duration: For the term of the Agreement, unless otherwise required by law.  

  •  Nature and Purpose: Hosting, analysis, reporting, and export of customer data; application of proprietary modeling to data inputs.  

  • Types of EU Personal Data: Name, email address, IP address, survey responses, and other identifiers or analytics inputs.  

Categories of Data Subjects: End users, customers, club personnel, and other individuals as defined by Customer’s data sources.